Why Should I Care How I Log In?
Do you work with sensitive or confidential information? I am sure you do, and as you continue reading, you will learn more about two security models that are worth investigating and implementing in your business environment. This article briefly focuses on Multi-Factor Authentication and Single Sign-On while defining two additional processes that extend security to harden the network.
What are these two security models and what are the differences between them? Are they complementary or competitive in their support of logins and security? Let’s begin with their definitions:
Multi-Factor Authentication (MFA):
An electronic method where the end user signing into a website or application is prompted to enter two or more verifiable details as authentication evidence.
Single Sign-On (SSO):
An authentication process that allows a secure login across multiple websites, applications, or related services without having to re-enter login credentials. This process is based on a trust relationship for a secure login by using a tool (Okta, Duo, OneLogin…) to build a token that is entered to authenticate the user.
These security models are complementary to each other. They provide enhanced security and can be used independently or in conjunction without impacting the end user.
MFA is inexpensive to create and manage as the end user manages their responses. This security model is just one step above simply using a username and password.
Often MFA is referred to as the Q&A for login.
Examples: What is your mother’s maiden name? What is the name of the hospital where you were born?
Sometimes, MFA gets confused with two-factor authentication (2FA). 2FA adds additional security layers, such as randomly generated tokens or biometrics.
Conversely, SSO requires the use of other tools, knowledge, and intervention by an end user during the login process. That intervention may be in the form of a smart phone application or phone call that prompts the end user when logging into a system. This security model leverages more advanced identity management tools to mitigate risks. These models could include the use of a smart card, Security Assertion Markup Language (SAML), Kerberos, a location factor like GPS, or even a knowledge factor (PIN).
Examples:
- The end user begins to log onto their computer. The computer sends a prompt to the end user’s desk phone to authorize access.
- A smart phone application prompts the end user to Approve/Deny access.
Do I have to use an authentication process?
The first answer: speak with your information technology (IT) team. They will know what processes, tools, and options are currently in use or could be deployed in your environment. They will know any compliance or regulatory requirements associated with your business and can address your questions. To answer a few more questions, please continue reading:
- MFA and SSO are best used together.
- If you have highly sensitive information, 2FA is worth investigating. 2FA extends MFA by using biometrics and/or time-sensitive, rotating codes.
- Adding a Secure Sockets Layer Virtual Private Network (SSL-VPN), along with a Zero Trust Network Access (ZTNA) policy and procedures, to your organization will exponentially expand security.
As mentioned above, using MFA and SSO together provides security; however, extending those security requirements hardens your network against cyber-attacks. Leveraging “next generation” security technologies can keep your resources from being easily attacked and can also open up access for mobile users, making their work environment user-friendly and similar to the onsite experience.
Installing an SSL-VPN makes the “onsite versus offsite” access to network resources a moot issue. Services can be delivered to offsite users with relative ease, and that delivery is managed and supportable. This includes printing to the office, accessing file shares, and using applications that are only available when on-network.
- SSL-VPNs provide direct access, via a tunnel, to an endpoint on the corporate LAN. This can be a workstation, server, application, file share, printer, or service.
Installing a ZTNA appliance provides more granular access control. Through this tool, applications, services, file storage, etc. can be allowed or denied, depending on the end user or their needs.
- ZTNA will only provide access to authorized applications and services.
When dealing with your organization’s sensitive information and security concerns, it’s important to start the conversation with your IT department. However, I hope this information provided you with a better understanding of the different types of security models available.